bmad-auto

Warn

Audited by Socket on May 10, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the skill is broadly coherent with its stated purpose as an implementation orchestrator, but it has a large action surface: persistent sub-agents, transitive invocation of many other skills, repository-wide reads, code changes, tests, Docker/infrastructure validation, and autonomous workflow progression. There is no clear credential theft, third-party proxying, or malicious exfiltration, so this is not malware; the main concerns are medium operational risk, transitive trust in downstream skills, and prompt-injection exposure from project content combined with write/exec capabilities.

Confidence: 87%
Severity: 56%
Audit Metadata
Analyzed At
May 10, 2026, 11:19 AM
Package URL
pkg:socket/skills-sh/bmad-labs%2Fskills%2Fbmad-auto%2F@5bc41797adad46da3e5984c907f88a2e9b528357
Security Audit — socket — bmad-auto